We were graced with one more typical “degen yield farm” popping in and out of relevance this week.
Harvest Finance collected as much as $1 billion in total value locked before an “economic exploit” sent it tumbling down. Its value locked measure is now hovering around $300 million, and prospects for a recovery look bleak.
The exploit has once again reignited debates among DeFi community members as to whether these types of flash loan-based arbitrage attacks are actually hacks.
Harvest features yield farming vaults similar to Yearn’s. They issue tokenized vault shares based on the value of the assets supplied by users. Some of these vaults rely on Curve’s Y pool, which powers liquidity for swaps between USDT, USDC, DAI and TUSD.
The attack used flash loans to convert $17 million USDT into USDC through Curve, temporarily boosting the USDC price to $1.01. The attacker then used another flash-loaned stash of some $50 million USDC — which the system considered to be worth $50.5 million — to enter the Harvest USDC vault.
After entering, the attacker would reverse the previous USDC trade back into USDT to bring the price in balance, and then immediately redeem their shares of Harvest’s pools to receive $50.5 million in USDC — a net profit of $500,000 per cycle repeated enough times to obtain $24 million in loot.
So is this a hack or not?
Technically, there were no vulnerabilities involved here. There was a bypassed check for these types of “arbitrage trades” that detects if the price of these stablecoins deviates too much from their intended value. But it was already set quite low and it’s really more of a mild inconvenience than an actual blocker — an attacker just needs to use more exploitation cycles.
This sequence is dizzying, and it still omits many steps.
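The share accounting and the deviation check described above, as a simplified model for estimating how much a price cap limits the loss per cycle (an added example, not code from Harvest or from the article). The vault size of 1 billion USDC, the 100 and 30 basis-point caps, and all class and function names are constructed assumptions; only the $50 million deposit, the $1.01 price and the $24 million total come from the text.

```python
# Added example: toy model of the vault accounting the article describes.
# Assumptions (not from the article): the vault size, the basis-point
# thresholds, and all names here are constructed for illustration.
PEG_BPS = 10_000  # $1.00 expressed in basis points

class DeviationError(Exception):
    """Deposit rejected: spot price is too far from the $1.00 peg."""

class Vault:
    def __init__(self, assets, max_deviation_bps):
        self.assets = float(assets)   # USDC held for all depositors
        self.shares = float(assets)   # shares start at $1.00 each
        self.max_deviation_bps = max_deviation_bps

    def deposit(self, usdc, spot_bps):
        # The deviation check: refuse deposits while the price is skewed.
        if abs(spot_bps - PEG_BPS) > self.max_deviation_bps:
            raise DeviationError(spot_bps)
        share_price = self.assets / self.shares
        # Flaw being modelled: the deposit is valued at the momentary spot
        # price, while existing assets are valued at the peg.
        minted = usdc * (spot_bps / PEG_BPS) / share_price
        self.assets += usdc
        self.shares += minted
        return minted

    def redeem(self, shares):
        payout = shares * self.assets / self.shares  # pro-rata USDC
        self.assets -= payout
        self.shares -= shares
        return payout

def cycles_until_loss(vault, usdc, spot_bps, target_loss):
    """Count deposit-at-skew / redeem-at-peg cycles until the other
    depositors have lost target_loss USDC. Returns (cycles, loss)."""
    start, cycles = vault.assets, 0
    while start - vault.assets < target_loss:
        vault.redeem(vault.deposit(usdc, spot_bps))
        cycles += 1
    return cycles, start - vault.assets

if __name__ == "__main__":
    for cap_bps in (100, 30):  # a looser and a tighter check
        vault = Vault(1_000_000_000, cap_bps)
        n, loss = cycles_until_loss(vault, 50_000_000, PEG_BPS + cap_bps, 24_000_000)
        print(f"cap {cap_bps} bps: {n} cycles drain {loss:,.0f} USDC")
```

In this model the $1.01 cycle yields slightly under the article's $500,000 because the depositor's own newly minted shares dilute the payout, and the tighter cap raises the cycle count rather than stopping the loss.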
So in that sense, proponents of the theory that this is just an arbitrage trade are correct — there is no unintended behavior in the code, it’s more like weaponi...